Re: Help needed in getting kernel dump in QEMU VM
On 11/15/21 at 03:49pm, Dongliang Mu wrote:
> On Mon, Nov 15, 2021 at 3:27 PM Baoquan He wrote:
> >
> > Hi,
> >
> > On 11/13/21 at 10:40am, Dongliang Mu wrote:
> > > Hi all KDUMP maintainers,
> > >
> > > I would like to generate a kernel dump within QEMU VM.
> > >
> > > 1. I reproduced the kernel crash [1] in QEMU VM. The QEMU startup
> > > script is as follows:
> > >
> > > qemu-system-x86_64 \
> > > -kernel $KERNEL/arch/x86/boot/bzImage \
> > > -append "console=ttyS0 root=/dev/sda debug earlyprintk=serial
> > > slub_debug=QUZ"\
> > > -hda $IMAGE/stretch.img \
> > > -net user,hostfwd=tcp::10021-:22 -net nic \
> > > -enable-kvm \
> > > -nographic \
> > > -m 2G \
> > > -smp 2 \
> > > -pidfile vm.pid \
> > > 2>&1 | tee vm.log
> > >
> > > The stretch.img is generated by Syzkaller script [1]. -kernel option
> > > is convenient for loading any other kernels.
> > >
> > > 2. As the .config already has the essential
> > > configuration (CONFIG_KEXEC, CONFIG_CRASH_DUMP, CONFIG_DEBUG_INFO), I
> > > did not change this configuration file.
> > >
> > > 3. I installed kdump-tools crash kexec-tools makedumpfile
> > > linux-image-4.9.0-13-amd64 in the stretch.img. Here I installed
> > > linux-image-4.9.0-13-amd64 because there is no default kernel in /boot
> > > directory. And to make kdump-tools work, I modify
> > > /etc/default/kdump-tools in the following:
> > >
> > > KDUMP_INITRD=/boot/initrd.img-4.9.0-13-amd64
> > > KDUMP_KERNEL=/boot/vmlinuz-4.9.0-13-amd64
> >
> > What distro are you using? Asking this because I am sure you are not
> > using Fedora/RHEL OS. The implementation of kdump tools is different in
> > each distro, even though the mechanism in kdump code is the same.
> >
>
> I am using Debian stretch as the guest OS. So kdump-tools, kexec and
> makedumpfile are all from Debian.

Then I would suggest asking in a Debian/Ubuntu forum or mailing list to
figure out if the configuration or setting is correct. I never tried Debian
OS, can't help, sorry.

> >
> > When we try to get help from upstream, considering and asking a good question
> > is very important for getting a quick response and effective help.
> >
> > Thanks
> > Baoquan
> >
> > >
> > > 4. I append "crashkernel=384M-:128M" to the command line in the
> > > startup script of QEMU.
> > >
> > > 5. After rebooting, kdump service can start successfully, and the
> > > kdump-config shows:
> > >
> > > root@syzkaller:~# kdump-config show
> > > DUMP_MODE:kdump
> > > USE_KDUMP:1
> > > KDUMP_SYSCTL: kernel.panic_on_oops=1
> > > KDUMP_COREDIR:/var/crash
> > > crashkernel addr: 0x7700
> > >    /boot/vmlinuz-4.9.0-13-amd64
> > > kdump initrd:
> > >    /boot/initrd.img-4.9.0-13-amd64
> > > current state:ready to kdump
> > >
> > > kexec command:
> > > /sbin/kexec -p --command-line="earlyprintk=serial oops=panic
> > > panic_on_warn=1 nmi_watchdog=panic panic=86400 net.ifnames=0
> > > sysctl.kernel.hung_task_all_cpu_backtrace=1 ima_policy=tcb
> > > kvm-intel.nested=1 nf-conntrack-ftp.ports=2
> > > nf-conntrack-tftp.ports=2 nf-conntrack-sip.ports=2
> > > nf-conntrack-irc.ports=2 nf-conntrack-sane.ports=2
> > > vivid.n_devs=16 vivid.multiplanar=1,2,1,2,1,2,1,2,1,2,1,2,1,2,1,2
> > > netrom.nr_ndevs=16 rose.rose_ndevs=16 spec_store_bypass_disable=prctl
> > > numa=fake=2 nopcid dummy_hcd.num=8 binder.debug_mask=0
> > > rcupdate.rcu_expedited=1 root=/dev/sda console=ttyS0 vsyscall=native
> > > watchdog_thresh=55 workqueue.watchdog_thresh=140 console=ttyS0
> > > root=/dev/sda debug earlyprintk=serial slub_debug=QUZ irqpoll
> > > nr_cpus=1 nousb systemd.unit=kdump-tools.service
> > > ata_piix.prefer_ms_hyperv=0" --initrd=/boot/initrd.img-4.9.0-13-amd64
> > > /boot/vmlinuz-4.9.0-13-amd64
> > >
> > > 6. When I execute the PoC, the current kernel crashes and then reboots
> > > into the dump-capture kernel. However, the kernel log shows it is in
> > > emergency mode:
> > >
> > > You are in emergency mode. After logging in, type "journalctl -xb" to view
> > > system logs, "systemctl reboot" to reboot, "systemctl default" or ^D to
> > > try again to boot into default mode.
> > >
> > > Finally, I would like to ask several questions:
> > > 1) Is the emergency mode due to the incorrect command line?
> > > 2) Is this the right way to generate a kernel dump from a QEMU VM?
> > > 3) Any comments on the above procedures?
> > >
> > > Thanks very much in advance.
> > >
> > > [1] general protection fault in reiserfs_security_init
> > > (https://syzkaller.appspot.com/bug?id=8abaedbdeb32c861dc5340544284167dd0e46cde)
> > >
> > > [2] https://github.com/google/syzkaller/blob/master/tools/create-image.sh
> > >
> > > --
> > > My best regards to you.
> > >
> > > No System Is Safe!
> > > Dongliang Mu
> >
>

___
kexec mailing list
kexec@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/kexec
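The three preconditions the thread walks through (a crashkernel= parameter on the booted command line, a "Crash kernel" range actually reserved, and a capture kernel loaded via kexec -p) can be verified from inside the guest before a crash is triggered, which is cheaper than discovering a misconfiguration in the capture kernel's emergency shell. The script below is an added example, not code from the thread or from Debian's kdump-tools; it reads the standard /proc/iomem, /proc/cmdline and /sys/kernel/kexec_crash_loaded files, and the IOMEM, CMDLINE and CRASH_LOADED environment variables are this example's own knobs so the parsers can be exercised against constructed snapshot files offline.

```shell
#!/bin/sh
# Added example (not from the thread or kdump-tools): pre-flight checks for
# kdump inside a guest. The paths can be overridden so the parsers can be run
# against constructed snapshots of the real files.
IOMEM=${IOMEM:-/proc/iomem}
CMDLINE=${CMDLINE:-/proc/cmdline}
CRASH_LOADED=${CRASH_LOADED:-/sys/kernel/kexec_crash_loaded}

# Print the crashkernel= parameter from a /proc/cmdline-style file, or
# nothing if the kernel was booted without one.
crashkernel_param() {
    tr ' ' '\n' < "$1" | grep '^crashkernel=' | head -n 1
}

# Print the size in MiB of the "Crash kernel" range in a /proc/iomem-style
# file (the memory reserved by crashkernel=), or 0 if nothing was reserved.
# Lines look like "  77000000-7effffff : Crash kernel".
crash_reserved_mib() {
    range=$(sed -n 's/^ *\([0-9a-f]*\)-\([0-9a-f]*\) : Crash kernel$/\1 \2/p' "$1" | head -n 1)
    if [ -z "$range" ]; then
        echo 0
        return
    fi
    start=${range% *}
    end=${range#* }
    echo $(( (0x$end - 0x$start + 1) / 1048576 ))
}

# Succeed when a capture kernel is loaded (kexec -p succeeded), i.e. the
# sysfs flag reads 1; fail when it reads 0 or the file is missing.
crash_kernel_loaded() {
    [ -r "$1" ] && [ "$(cat "$1")" = 1 ]
}

# Run all three checks, print one line per check and return non-zero if any
# failed, so a lab or CI job can refuse to trigger a crash on a broken setup.
kdump_check_report() {
    status=0
    param=$(crashkernel_param "$CMDLINE")
    if [ -n "$param" ]; then
        echo "ok   kernel booted with $param"
    else
        echo "FAIL no crashkernel= on the kernel command line ($CMDLINE)"
        status=1
    fi
    mib=$(crash_reserved_mib "$IOMEM")
    if [ "$mib" -gt 0 ]; then
        echo "ok   $mib MiB reserved as 'Crash kernel' in $IOMEM"
    else
        echo "FAIL no 'Crash kernel' range in $IOMEM (reservation failed; compare crashkernel= with guest RAM)"
        status=1
    fi
    if crash_kernel_loaded "$CRASH_LOADED"; then
        echo "ok   capture kernel loaded (kexec -p succeeded)"
    else
        echo "FAIL no capture kernel loaded; inspect the kdump service and its kexec -p command"
        status=1
    fi
    return $status
}

# Only run the report when invoked as "sh kdump-check.sh report"; sourcing
# the file just defines the functions.
if [ "${1:-}" = report ]; then
    kdump_check_report
fi
```

Run it as root inside the guest with `sh kdump-check.sh report`. A "FAIL" on the reservation check with a valid crashkernel= usually means the range syntax did not match the guest's RAM (the thread's 384M-:128M only reserves when the guest has at least 384M), while a failure only on the third check points at the kexec -p invocation or the kdump service itself, which is where the emergency-mode symptom in the thread would be diagnosed.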
Re: [PATCH v2 09/12] x86/sev: Use AP Jump Table blob to stop CPU
On Mon, Sep 13, 2021 at 05:56:00PM +0200, Joerg Roedel wrote: > diff --git a/arch/x86/include/asm/sev.h b/arch/x86/include/asm/sev.h > index 134a7c9d91b6..cd14b6e10f12 100644 > --- a/arch/x86/include/asm/sev.h > +++ b/arch/x86/include/asm/sev.h > @@ -81,12 +81,19 @@ static __always_inline void sev_es_nmi_complete(void) > __sev_es_nmi_complete(); > } > extern int __init sev_es_efi_map_ghcbs(pgd_t *pgd); > +void __sev_es_stop_this_cpu(void); > +static __always_inline void sev_es_stop_this_cpu(void) What's that for? IOW, the below seems to build too: --- diff --git a/arch/x86/include/asm/sev.h b/arch/x86/include/asm/sev.h index 1f16fc907636..398105580862 100644 --- a/arch/x86/include/asm/sev.h +++ b/arch/x86/include/asm/sev.h @@ -87,12 +87,7 @@ extern enum es_result sev_es_ghcb_hv_call(struct ghcb *ghcb, struct es_em_ctxt *ctxt, u64 exit_code, u64 exit_info_1, u64 exit_info_2); -void __sev_es_stop_this_cpu(void); -static __always_inline void sev_es_stop_this_cpu(void) -{ - if (static_branch_unlikely(&sev_es_enable_key)) - __sev_es_stop_this_cpu(); -} +void sev_es_stop_this_cpu(void); #else static inline void sev_es_ist_enter(struct pt_regs *regs) { } static inline void sev_es_ist_exit(void) { } diff --git a/arch/x86/kernel/sev.c b/arch/x86/kernel/sev.c index 39378357dc5a..7a74b3273f1a 100644 --- a/arch/x86/kernel/sev.c +++ b/arch/x86/kernel/sev.c 
@@ -694,8 +694,11 @@ void __noreturn sev_jumptable_ap_park(void) } STACK_FRAME_NON_STANDARD(sev_jumptable_ap_park); -void __sev_es_stop_this_cpu(void) +void sev_es_stop_this_cpu(void) { + if (!static_branch_unlikely(&sev_es_enable_key)) + return; + /* Only park in the AP Jump Table when the code has been installed */ if (!sev_ap_jumptable_blob_installed) return; ---
And as previously mentioned s/sev_es/sev/ if those are going to be used on SNP guests too.

--
Regards/Gruss,
    Boris.

https://people.kernel.org/tglx/notes-about-netiquette
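Review bot: the sev.c hunk of the suggested diff moves the static_branch_unlikely(&sev_es_enable_key) test out of the inline wrapper into the out-of-line sev_es_stop_this_cpu(), so callers on non-SEV-ES guests now pay a real call instead of a branch patched out by the static key; on the CPU-stop path this lands on that cost is irrelevant, but the changelog should say so, because the two-level `__sev_es_stop_this_cpu()` shape it removes exists only to avoid that call. Placing the new early return ahead of the existing sev_ap_jumptable_blob_installed check keeps the cheap test first, which is the right order.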
Re: [PATCH v2] proc/vmcore: fix clearing user buffer by properly using clear_user()
On Fri, 12 Nov 2021 10:27:50 +0100 David Hildenbrand wrote:

> To clear a user buffer we cannot simply use memset, we have to use
> clear_user(). With a virtio-mem device that registers a vmcore_cb and has
> some logically unplugged memory inside an added Linux memory block, I can
> easily trigger a BUG by copying the vmcore via "cp":
>
> ...
>
> Some x86-64 CPUs have a CPU feature called "Supervisor Mode Access
> Prevention (SMAP)", which is used to detect wrong access from the kernel to
> user buffers like this: SMAP triggers a permissions violation on wrong
> access. In the x86-64 variant of clear_user(), SMAP is properly
> handled via clac()+stac().
>
> To fix, properly use clear_user() when we're dealing with a user buffer.
>

I added cc:stable, OK?
[PATCH v2 2/2] s390/kexec: fix kmemleak
unreferenced object 0x38000195000 (size 4096):
  comm "kexec", pid 8548, jiffies 4294953647 (age 32443.270s)
  hex dump (first 32 bytes):
    00 00 00 c8 20 00 00 00 00 00 00 c0 02 80 00 00  ...
    40 40 40 40 40 40 40 40 00 00 00 00 00 00 00 00
  backtrace:
    [<11a2f199>] __vmalloc_node_range+0xc0/0x140
    [<81fa2752>] vzalloc+0x5a/0x70
    [<63a4c92d>] ipl_report_finish+0x2c/0x180
    [<553304da>] kexec_file_add_ipl_report+0xf4/0x150
    [<862d033f>] kexec_file_add_components+0x124/0x160
    [<0d2717bb>] arch_kexec_kernel_image_load+0x62/0x90
    [<2e0373b6>] kimage_file_alloc_init+0x1aa/0x2e0
    [<60f2d14f>] __do_sys_kexec_file_load+0x17c/0x2c0
    [<8c86fe5a>] __s390x_sys_kexec_file_load+0x40/0x50
    [<1fdb9dac>] __do_syscall+0x1bc/0x1f0
    [<3ee4258d>] system_call+0x78/0xa0

Signed-off-by: Baoquan He
Fixes: 99feaa717e55 ("s390/kexec_file: Create ipl report and pass to next kernel")
---
 arch/s390/include/asm/kexec.h         | 7 +++
 arch/s390/kernel/machine_kexec_file.c | 9 +
 2 files changed, 16 insertions(+)

diff --git a/arch/s390/include/asm/kexec.h b/arch/s390/include/asm/kexec.h index ea398a05f643..bbe125dd0329 100644 --- a/arch/s390/include/asm/kexec.h +++ b/arch/s390/include/asm/kexec.h @@ -74,6 +74,13 @@ void *kexec_file_add_components(struct kimage *image, int arch_kexec_do_relocs(int r_type, void *loc, unsigned long val, unsigned long addr); +#define ARCH_HAS_KIMAGE_ARCH + +struct kimage_arch { +void *ipl_buf; +}; + + extern const struct kexec_file_ops s390_kexec_image_ops; extern const struct kexec_file_ops s390_kexec_elf_ops; diff --git a/arch/s390/kernel/machine_kexec_file.c b/arch/s390/kernel/machine_kexec_file.c index 17e961975624..7f51837e9bc2 100644 --- a/arch/s390/kernel/machine_kexec_file.c +++ b/arch/s390/kernel/machine_kexec_file.c @@ -205,6 +205,7 @@ static int kexec_file_add_ipl_report(struct kimage *image, return ret; buf.bufsz = data->report->size; buf.memsz = buf.bufsz; + image->arch.ipl_buf = buf.buffer; data->memsz += buf.memsz;
@@ -325,3 +326,11 @@ int arch_kexec_apply_relocations_add(struct purgatory_info *pi, } return 0; } + +int arch_kimage_file_post_load_cleanup(struct kimage *image) +{ + kvfree(image->arch.ipl_buf); + image->arch.ipl_buf = NULL; + + return kexec_image_post_load_cleanup_default(image); +} -- 2.17.2
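Review bot: in the kexec.h hunk there are two added blank lines between the closing `};` of struct kimage_arch and the existing `extern const struct kexec_file_ops s390_kexec_image_ops;`; one blank line is the convention. Defining ARCH_HAS_KIMAGE_ARCH with a one-member struct is the minimal way to hang per-image state off image->arch, so the approach itself is fine.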
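Review bot: arch_kimage_file_post_load_cleanup() releases image->arch.ipl_buf with kvfree() although the backtrace in the changelog shows the buffer coming from vzalloc() in ipl_report_finish(); kvfree() handles vmalloc memory, but vfree() (or a one-line comment) would make the allocator pairing explicit. Storing buf.buffer into image->arch.ipl_buf right after the ipl_report_finish() return-value check, as the first machine_kexec_file.c hunk does, means any later load failure is covered by this same cleanup, and clearing the pointer before calling kexec_image_post_load_cleanup_default() keeps a repeated cleanup from freeing it twice.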
[PATCH v2 1/2] s390/kexec: check the return value of ipl_report_finish
In function ipl_report_finish(), it could fail due to memory allocation
failure, so check the return value to handle the case.

Signed-off-by: Baoquan He
---
 arch/s390/include/asm/ipl.h           | 2 +-
 arch/s390/kernel/ipl.c                | 6 --
 arch/s390/kernel/machine_kexec_file.c | 5 -
 3 files changed, 9 insertions(+), 4 deletions(-)

diff --git a/arch/s390/include/asm/ipl.h b/arch/s390/include/asm/ipl.h index 3f8ee257f9aa..864ab5d2890c 100644 --- a/arch/s390/include/asm/ipl.h +++ b/arch/s390/include/asm/ipl.h @@ -122,7 +122,7 @@ struct ipl_report_certificate { struct kexec_buf; struct ipl_report *ipl_report_init(struct ipl_parameter_block *ipib); -void *ipl_report_finish(struct ipl_report *report); +int ipl_report_finish(struct ipl_report *report, void **ipl_buf); int ipl_report_free(struct ipl_report *report); int ipl_report_add_component(struct ipl_report *report, struct kexec_buf *kbuf, unsigned char flags, unsigned short cert); diff --git a/arch/s390/kernel/ipl.c b/arch/s390/kernel/ipl.c index e2cc35775b99..a0af0b23148d 100644 --- a/arch/s390/kernel/ipl.c +++ b/arch/s390/kernel/ipl.c @@ -2144,7 +2144,7 @@ struct ipl_report *ipl_report_init(struct ipl_parameter_block *ipib) return report; } -void *ipl_report_finish(struct ipl_report *report) +int ipl_report_finish(struct ipl_report *report, void **ipl_buf) { struct ipl_report_certificate *cert; struct ipl_report_component *comp; @@ -2195,7 +2195,9 @@ void *ipl_report_finish(struct ipl_report *report) } BUG_ON(ptr > buf + report->size); - return buf; + *ipl_buf = buf; + + return 0; } int ipl_report_free(struct ipl_report *report) diff --git a/arch/s390/kernel/machine_kexec_file.c b/arch/s390/kernel/machine_kexec_file.c index 528edff085d9..17e961975624 100644 --- a/arch/s390/kernel/machine_kexec_file.c +++ b/arch/s390/kernel/machine_kexec_file.c @@ -170,6 +170,7 @@ static int kexec_file_add_ipl_report(struct kimage *image, struct kexec_buf buf; unsigned long addr; void *ptr, *end; + int ret; buf.image = image;
@@ -199,7 +200,9 @@ static int kexec_file_add_ipl_report(struct kimage *image, ptr += len; } - buf.buffer = ipl_report_finish(data->report); + ret = ipl_report_finish(data->report, &buf.buffer); + if (ret) + return ret; buf.bufsz = data->report->size; buf.memsz = buf.bufsz; -- 2.17.2
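Review bot: the changelog says ipl_report_finish() can fail on memory allocation, but neither ipl.c hunk adds that failure path: the function now writes `*ipl_buf = buf;` and unconditionally returns 0, and the two hunks (+4/-2) account for the entire arch/s390/kernel/ipl.c share of the diffstat (9 insertions, 4 deletions in total, of which ipl.h takes +1/-1 and machine_kexec_file.c +4/-1). As posted, the new `if (ret) return ret;` in kexec_file_add_ipl_report() can never trigger; the allocation of `buf` inside ipl_report_finish() needs an `if (!buf) return -ENOMEM;` for the return code to carry any information, and the changelog should describe that check.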
[PATCH v2 RESEND 2/2] s390/kexec: fix memory leak of ipl report buffer
unreferenced object 0x38000195000 (size 4096):
  comm "kexec", pid 8548, jiffies 4294953647 (age 32443.270s)
  hex dump (first 32 bytes):
    00 00 00 c8 20 00 00 00 00 00 00 c0 02 80 00 00  ...
    40 40 40 40 40 40 40 40 00 00 00 00 00 00 00 00
  backtrace:
    [<11a2f199>] __vmalloc_node_range+0xc0/0x140
    [<81fa2752>] vzalloc+0x5a/0x70
    [<63a4c92d>] ipl_report_finish+0x2c/0x180
    [<553304da>] kexec_file_add_ipl_report+0xf4/0x150
    [<862d033f>] kexec_file_add_components+0x124/0x160
    [<0d2717bb>] arch_kexec_kernel_image_load+0x62/0x90
    [<2e0373b6>] kimage_file_alloc_init+0x1aa/0x2e0
    [<60f2d14f>] __do_sys_kexec_file_load+0x17c/0x2c0
    [<8c86fe5a>] __s390x_sys_kexec_file_load+0x40/0x50
    [<1fdb9dac>] __do_syscall+0x1bc/0x1f0
    [<3ee4258d>] system_call+0x78/0xa0

Signed-off-by: Baoquan He
Fixes: 99feaa717e55 ("s390/kexec_file: Create ipl report and pass to next kernel")
---
RESEND: Fix the incorrect subject.

 arch/s390/include/asm/kexec.h         | 7 +++
 arch/s390/kernel/machine_kexec_file.c | 9 +
 2 files changed, 16 insertions(+)

diff --git a/arch/s390/include/asm/kexec.h b/arch/s390/include/asm/kexec.h index ea398a05f643..bbe125dd0329 100644 --- a/arch/s390/include/asm/kexec.h +++ b/arch/s390/include/asm/kexec.h @@ -74,6 +74,13 @@ void *kexec_file_add_components(struct kimage *image, int arch_kexec_do_relocs(int r_type, void *loc, unsigned long val, unsigned long addr); +#define ARCH_HAS_KIMAGE_ARCH + +struct kimage_arch { +void *ipl_buf; +}; + + extern const struct kexec_file_ops s390_kexec_image_ops; extern const struct kexec_file_ops s390_kexec_elf_ops; diff --git a/arch/s390/kernel/machine_kexec_file.c b/arch/s390/kernel/machine_kexec_file.c index 17e961975624..7f51837e9bc2 100644 --- a/arch/s390/kernel/machine_kexec_file.c +++ b/arch/s390/kernel/machine_kexec_file.c @@ -205,6 +205,7 @@ static int kexec_file_add_ipl_report(struct kimage *image, return ret; buf.bufsz = data->report->size; buf.memsz = buf.bufsz; + image->arch.ipl_buf = buf.buffer; data->memsz += buf.memsz;
@@ -325,3 +326,11 @@ int arch_kexec_apply_relocations_add(struct purgatory_info *pi, } return 0; } + +int arch_kimage_file_post_load_cleanup(struct kimage *image) +{ + kvfree(image->arch.ipl_buf); + image->arch.ipl_buf = NULL; + + return kexec_image_post_load_cleanup_default(image); +} -- 2.17.2